[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: Linux locked accounts and PAM

From: "Scott Ruckh" <sruckh gemneye org>
To: "Dan Yefimov" <dan nf15 lightwave net ru>, "Pluggable Authentication Modules" <pam-list redhat com>
Cc:
Subject: Re: Linux locked accounts and PAM
Date: Sat, 4 Oct 2008 15:31:49 -0700

On 04.10.2008 22:13, Scott Ruckh wrote:
Instead of prefixing hash with "!" use "*" instead.  Still an impossible
password hash, and will work with PKA.
That won't work. pam_unix.so pam_sm_acct_mgmt() doesn't check passwordhash at all. The matter is that SSH public key authentication can be usedto bypass password hash based authentication and restrictions it mayimpose, i. e. it allows other host to connect as a service account forbackup purpose, for example, while it's still impossible to log in as thataccount in general. So in order to disallow some user logging in one mustalso either modify sshd_config or rename ~user/.ssh/authorized_keys toreflect the logging in prohibition, in addition to locking that userpassword hash.
--

I was under the impression the question was how to use PKA and allow loginsbut do not allow interactive shell logins through passwords entered usingkeyboard. In my experience when the password hash is just "!!" PKA is notallowed, but if the password hash is "**", then PKA is allowed. Iapparently mis-understood the original question. In my environment theuser's .ssh directories are set so that only a root user can modify theauthorized_keys file, the AllowGroups directive is used in the sshd_configfile, and pam_access is used.

Follow-Ups:
- Re: Linux locked accounts and PAM
  - From: Max Bowsher

References:
- Linux locked accounts and PAM
  - From: Max Bowsher
- Re: Linux locked accounts and PAM
  - From: Scott Ruckh
- Re: Linux locked accounts and PAM
  - From: Dan Yefimov

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]